Privacy Act of 1974; System of Records

#  Privacy Act of 1974; System of Records

**AGENCY:**

National Credit Union Administration (NCUA).

**ACTION:**

Notice of a modified system of records.

**SUMMARY:**

This notice informs the public of the National Credit Union Administration's (NCUA's) proposal to modify system of records notice NCUA-19. This system of records serves as the core financial and acquisition system and integrates NCUA's program, financial, and budgetary information.

**DATES:**

Submit comments on or before January 20, 2026. This modification will be effective immediately, and new routine uses will be effective on January 20, 2026.

**ADDRESSES:**

You may submit comments by any of the following methods, but please send comments by one method only:

• *Mail:* Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

• *Email:* Comments may be sent to *[email protected].*

**FOR FURTHER INFORMATION CONTACT:**

Chief Financial Officer, Office of the Chief Financial Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314 or Jennifer Harrison, Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314 or by phone at (703) 518-6540.

**SUPPLEMENTARY INFORMATION:**

Pursuant to the Privacy Act of 1974, the NCUA proposes modifying NCUA-19 to provide new routine uses in accordance with Office of Management and Budget (OMB) Memorandums M-17-12 and M-25-32 and to update the format in accordance with OMB Circular A-108.

Additionally, the NCUA is making substantive changes to the following sections of the system of records notice:

1. NCUA has updated the Routine Uses of Records Maintained in the System to include four new routine uses and to include a full list of relevant routine uses and remove references to “standard routine uses”; Routine Use 16 allows for the sharing for the purpose of collecting or assisting in the collection of delinquent debts and Routine Uses 1, 14, and 15 are being published in accordance with M-17-12 and M-25-32.

2. NCUA has updated Policies and Practices for Storage of Records to reflect updated storage processes.

3. NCUA has updated Administrative, Technical, and Physical Safeguards to accurately reflect how these records are protected.

4. NCUA has updated Record Access, Contesting Record, and Notification Procedures to accurately reflect the NCUA procedures as detailed in 12 CFR 792.55.

The NCUA is making non-substantive modifications to the following sections of the system of records notice: Security Classification, System Location, Authority for Maintenance of the System, Purpose(s) of the System, Categories of Individuals Covered by the System, Categories of Records in the System, Record Source Categories, Policies and Practices for Retrieval of Records, Policies and Practices for Retention and Disposal of Records, and History.

Non-substantive modifications have also been made to ensure that the format of NCUA-19 aligns with the guidance set forth in Office of Management and Budget Circular A-108.

By the National Credit Union Administration Board on December 16, 2025.

Melane Conyers-Ausbrooks,

Secretary of the Board.

**SYSTEM NAME AND NUMBER:**

NCUA Financial and Acquisition Management System, NCUA-19.

**SECURITY CLASSIFICATION:**

Unclassified.

**SYSTEM LOCATION:**

(1) Enterprise Services Center, 6500 South MacArthur Blvd., Oklahoma City, OK 73169 and (2) Office of the Chief Financial Officer (OCFO), National Credit Union Administration (NCUA), 1775 Duke Street, Alexandria, VA 22314.

**SYSTEM MANAGER(S):**

Chief Financial Officer, Office of the Chief Financial Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314.

**AUTHORITY FOR MAINTENANCE OF THE SYSTEM:**

12 U.S.C. 1751, *et seq.;* 31 U.S.C. 3501, *et seq.;* and 31 U.S.C. 7701(c). Where the employee identification number is the Social Security number, collection of this information is authorized by Executive Order 9397.

**PURPOSE(S) OF THE SYSTEM:**

This system serves as the core financial and acquisition system and integrates program, financial, and budgetary information. Records are collected to ensure that all obligations and expenditures are in conformance with laws, existing rules and regulations, and good business practices, and to maintain subsidiary records at the proper account and/or organizational level where responsibility for control of costs exists.

**CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:**

This system of records includes information about individuals who may be current and former NCUA employees and interns; current and former contractors, suppliers or vendors; and current and former customers.

**CATEGORIES OF RECORDS IN THE SYSTEM:**

The system of records includes (1) individual NCUA employees' names, addresses, and Social Security numbers (SSNs); (2) individual contractors, vendors, customers, individual names of companies, points of contact, telephone numbers, mailing addresses, email addresses, contract numbers, vendor numbers including Data Universal Numbering System (DUNS) and Tax Identification Number (TIN) numbers, which can be an SSN in the case of individuals set up as sole proprietors and; (3) financial information includes an individual's financial institution name, lockbox number, routing transit number, deposit account number, account type, debts ( *e.g.,* unpaid bills/invoices, overpayments, etc.), and remittance addresses.

**RECORD SOURCE CATEGORIES:**

The sources of records for this system are the individual upon whom the record is maintained; other government agencies; contractors, vendors; or from another NCUA office maintaining the records in the performance of their duties. Information maintained in Department of Transportation, (DOT)/Enterprise Service Center (ESC) systems includes purchase orders, contracts, vouchers, invoices, contracts, disbursements, receipts/collections, *Pay.Gov* transactions, and related records; U.S. General Services Administration (GSA) Federal personnel payroll system (for payroll disbursement postings): Concur (for travel disbursements); JPMorgan Chase (for charge card payments); travel advance applications; other records submitted by individuals, employees, and vendors.

**ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:**

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

1. To the U.S. Department of the Treasury when disclosure of the information is relevant to review payment and award eligibility through the Do Not Pay Working System for the purposes of identifying, preventing, or recouping improper payments to an applicant for, or recipient of, Federal funds, including funds disbursed by a state (meaning a state of the United States, the District of Columbia, a territory or possession of the United States, or a federally recognized Indian tribe) in a state-administered, federally funded program.

2. Records may be shared with a vendor that NCUA is doing business with if a dispute about payments or amounts due arises. In such a situation, only the minimum amount of information needed to resolve the dispute will be shared with the vendor.

3. If a record in this system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system or records may be disclosed as a routine use to the appropriate agency, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.

4. A record from this system of records may be disclosed as a routine use to a federal, state, or local agency which maintains civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary, to obtain information relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.

5. A record from this system of records may be disclosed as a routine use to a federal agency, in response to its request, for a matter concerning the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision in the matter.

6. A record from this system of records may be disclosed as a routine use to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other duly authorized official engaged in investigation or settlement of a grievance, complaint, or appeal filed by an employee. Further, a record from this system of records may be disclosed as a routine use to the Office of Personnel Management in accordance with the agency's responsibility for evaluation and oversight of federal personnel management.

7. A record from this system of records may be disclosed as a routine use to officers and employees of a federal agency for purposes of audit or oversight operations related to this system of records, but only such records as are necessary and relevant to the audit or oversight activity.

8. A record from this system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained.

9. A record from this system of records may be disclosed as a routine use to the officers and employees of the General Services Administration (GSA) in connection with administrative services provided to this Agency under agreement with GSA.

10. Records in this system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation, provided, however, that in each case, NCUA determines that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which the records were collected.

11. Records in this system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation, provided, however, NCUA determines that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which the records were collected.

12. To contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for the NCUA when necessary to accomplish an agency function or administer an employee benefit program.

13. A record from this system of records may be shared with the Office of Management and Budget (OMB) in connection with the review of private relief legislation as set forth in OMB Circular A-19 at any stage of the legislative coordination and clearance process as set forth in that circular.

14. To appropriate agencies, entities, and persons when (1) the NCUA suspects or has confirmed that there has been a breach of the system of records; (2) the NCUA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the NCUA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the NCUA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

15. To another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

16. To the Department of the Treasury, federal debt collection centers, other appropriate federal agencies, and private collection contractors or other third parties authorized by law, for the purpose of collecting or assisting in the collection of delinquent debts owed to NCUA.

**POLICIES AND PRACTICES FOR STORAGE OF RECORDS:**

Records are maintained in paper and/or electronic form. Paper records are stored in locked file rooms and/or file cabinets. Electronic records and backups are stored on secure servers, approved by NCUA's Office of the Chief Information Officer, within a FedRAMP-authorized commercial Cloud Service Provider's Software-as-a-Service solution hosting environment and accessed only by authorized personnel.

**POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:**

Records are retrieved by an employee's name; vendor or contractor name; employee ID; Social Security number (SSN); SSN/Tax Identification Number (TIN) for contractors and vendors doing business with the NCUA; supplier number (system unique) for both employees and vendors; DUNS and DUNS with the last four numbers of an SSN.

**POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:**

Records are maintained and disposed of in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA).

**ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:**

NCUA has implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Public Law 113-283, S. 2521, and NCUA's information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable Federal laws and regulations, including Office of Management and Budget Circular A-130 and NIST Special Publication 800-37. Paper records are maintained in locked file rooms and/or file cabinets accessible only by authorized personnel.

**RECORD ACCESS PROCEDURES:**

Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314 or submit a request through email to *[email protected].* The following information must be provided: (1) Full name; (2) Any available information regarding the type of record involved; (3) The address to which the record information should be sent; and (4) Verification of identity. Individuals requesting access must comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

**CONTESTING RECORD PROCEDURES:**

Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314 or submit a request through email to *[email protected].* The following information must be provided: (1) Full name; (2) Any available information regarding the type of record involved; (3) The address to which the record information should be sent; and (4) Verification of identity. Individuals must comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

**NOTIFICATION PROCEDURES:**

Individuals requesting access must also comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55). An individual may inquire as to whether the system contains information pertaining to the individual by submitting a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314 or submitting a request through email to *[email protected].* The following information must be provided: (1) Full name; (2) Any available information regarding the type of record involved; (3) The address to which the record information should be sent; and (4) Verification of identity. Individuals must comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55). If there is no information on the individual, the individual will be so advised.

**EXEMPTIONS PROMULGATED FOR THE SYSTEM:**

None.

**HISTORY:**

81 FR 83281 (November 21, 2016).